Bypass AMSI and execute PowerShell scripts from C# - using CyberArk's method to bypass AMSI

0r13lc0ch4v1/HideFromAMSI

HideFromAMSI

HideFromAMSI is a simple C# example of how to execute a PowerShell script from C# and bypass AMSI using CyberArk's method.

This code doesn't open a PowerShell subprocess, but there are methods that do. If you do open a PowerShell process, use the HookAmsiScanBuffer function before you decrypt the script. Moreover, in this code I used Mimikatz, but other scripts may need different code.

From what I've seen, it is better to open PowerShell (from C# using CreateOutOfProcessRunspace) as a subprocess and override that PowerShell's AMSI using HookAmsiScanBuffer (passing the PowerShellProcessInstance's handle to the hooking function).

For educational purposes only!
